APPENDIX A: Fast-Flux Proxy Samples

There have been noticeable advancements in the flux agent presented in this document over the past year, including the migration away from arbitrary TCP connections to obtain clear-text instructions, the use of an HTTP library to obtain downloaded instructions, settings and binary updates, and finally the most recent variants, which receive control settings via encoded update files. The following examples demonstrate a short historical timeline of just one fast-flux service network malware variant, the one responsible for all double-flux service networks referenced in this research. It is worth noting that we have observed evidence supporting five distinct fast-flux service nets in operation on the Internet but have not acquired malware samples for all variants to support in-depth study.

A prehistoric sample of flux-agent code (according to Internet time). We first observed
nodes infected with this malware in the middle of 2006, but only acquired a malware sample
for analysis in November 2006: